ServiceNow Syslog Probe
07-15-2022 04:32 AM
Good Afternoon All,
Our Security team have asked us a question about the Syslog probe (quoted below); we have reviewed the ServiceNow docs, but they don't seem to specifically relate to their exact need. (We have the Vulnerability Response module but not Sec Ops.)
Has anyone done anything similar, or is anyone able to shed any light on how this could be achieved?
Any assistance greatly appreciated.
"We have log collectors located around the network collecting events from various systems and feeding them into a central SIEM platform. This includes logs from Domain Controllers relating to user account modifications in Active Directory. However, a significant number of account modifications are now being carried out under the context of a service account as a result of automation workflows in ServiceNow. This has created specific challenges in terms of being able to monitor/alert on the activity undertaken by this highly privileged service account.
One way to potentially address this would be to have specific events from ServiceNow forwarded to our SIEM platform via syslog, which could be automatically correlated with the events from Active Directory with some custom rules. For example, if a log event from ServiceNow shows the automation trigger for the service account to perform a specific modification, any alerts for that activity in Active Directory could be suppressed. We would then be able to alert only on activity by the service account that does not correlate with a trigger from ServiceNow, i.e. to ensure that we maintain visibility in the event that the service account is compromised/used for malicious purposes."
Labels: Vulnerability Response
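The suppress-if-correlated logic the security team describes, as an added Python example that is not part of this thread or of any ServiceNow feature: the ServiceNow syslog line layout, its field names, the `svc_snow_ad` account name and the five-minute window are assumptions, while the event IDs are the standard Windows account-management IDs. It consumes each ServiceNow trigger once, so a repeated change by the service account with no fresh trigger still raises an alert.

```python
import re
from datetime import datetime, timedelta

# Constructed sample logs. The ServiceNow line layout is an assumption, not a
# documented format; the AD lines are simplified Security-log events.
SNOW_LOG = """\
2022-07-15T10:02:11Z snow sn_automation: req=REQ0010001 actor=svc_snow_ad action=disable_account target=jdoe
2022-07-15T10:05:40Z snow sn_automation: req=REQ0010002 actor=svc_snow_ad action=reset_password target=asmith
"""
AD_LOG = """\
2022-07-15T10:02:15Z dc01 Security: EventID=4725 Subject=svc_snow_ad Target=jdoe
2022-07-15T10:05:44Z dc01 Security: EventID=4724 Subject=svc_snow_ad Target=asmith
2022-07-15T10:31:02Z dc01 Security: EventID=4728 Subject=svc_snow_ad Target=bjones
2022-07-15T10:40:00Z dc01 Security: EventID=4725 Subject=svc_snow_ad Target=jdoe
"""
# Standard Windows account-management event IDs -> assumed trigger action names.
EVENT_ACTIONS = {"4720": "create_account", "4724": "reset_password",
                 "4725": "disable_account", "4728": "add_group_member"}
KV = re.compile(r"(\w+)=(\S+)")

def parse(log):
    """Turn 'timestamp host program: k=v k=v ...' lines into dicts."""
    records = []
    for line in log.splitlines():
        ts, _host, rest = line.split(" ", 2)
        rec = dict(KV.findall(rest))
        rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        records.append(rec)
    return records

def correlate(snow_log, ad_log, service_account="svc_snow_ad",
              window=timedelta(minutes=5)):
    """Suppress AD changes explained by an unused ServiceNow trigger within `window`; alert on the rest."""
    triggers = parse(snow_log)
    used = set()  # each trigger may explain at most one AD change
    suppressed, alerts = [], []
    for ev in parse(ad_log):
        if ev.get("Subject") != service_account:
            continue  # other principals stay under the normal AD rules
        action = EVENT_ACTIONS.get(ev.get("EventID"), "unknown")
        match = next((i for i, t in enumerate(triggers) if i not in used
                      and t["target"] == ev["Target"] and t["action"] == action
                      and timedelta(0) <= ev["ts"] - t["ts"] <= window), None)
        if match is None:
            alerts.append((ev["EventID"], ev["Target"], action))
        else:
            used.add(match)
            suppressed.append((ev["EventID"], ev["Target"], triggers[match]["req"]))
    return suppressed, alerts
```

On the sample data the two changes that follow a ServiceNow request are suppressed, while the group-membership change with no trigger and the second disable of `jdoe` (38 minutes after its only trigger) are surfaced as alerts.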
12-06-2022 07:45 AM
We have a somewhat similar need, and there does not appear to be any out-of-the-box solution that I can find. Our InfoSec team wants ALL admin activity sent to a syslog server. As best I can tell, that will require a lot of custom Business Rules using the Syslog probe.